This article was published in the January/February 2014 edition of the Nebraska Banker magazine.
It's always great to have an expert available. When you're involved in legal work, you pay a lawyer. When you throw a banquet, you hire a caterer. When you're a bank, you outsource technology. Tapping into the expertise available to you is one of the wisest things you can do. But when you do that, you're putting a lot of trust in someone else's hands. As the technology industry has moved into the thin air around us, we find ourselves virtually plugging in to services. We see this all the time with banks outsourcing their mission critical applications to companies that specialize in core, accounting, etc. Because of this great shift, the agencies are understandably concerned with the current state of vendor management, making this clear with recently released material on the subject.
Business continuity and contingency planning have been heavily discussed with the most recent focus on vendor management. What are business continuity and contingency planning? Is this not just two ways to say the same thing? The topics are related, but each have very distinct features.
A plan for business continuity is something the vendor must design and provide. Their plan should describe what steps they need to take to restore service in response to an interruption. An interruption could be anything that keeps you from accessing their service, like natural disasters, human error, or attacks on the company. Just like you have a business continuity plan to ensure service continues for your customers, your vendors' top concern should be that their customers receive the service they are paying for. The vendor's business continuity plan is a document that should be reviewed for adequacy and effectiveness on a regular basis for significant vendors.
Contingency planning is something that needs to be worked on by both the vendor and the bank. A contingency plan outlines how bank information will be handled if the vendor relationship comes to an end. This "end" could be for any number of reasons, and you should have a plan for each one when dealing with vendors providing critical services. Some termination scenarios include: the natural end of a contract, the legal breaking of a contract based on unmet expectations, and business failure of the vendor. To be prepared for any of these situations, you (the bank) and the vendor have to work out a plan together for how you can retrieve your data. Being prepared for the unexpected, alternative arrangements should be considered to help you seamlessly transition into another comparable provider. In order to do that, you need to have a pool of comparable providers defined.
Here are some questions to consider as part of any disengagement plans you make:
- Is there a cancelation clause in the contract?
- How will we get any data back from the vendor?
- How long will it take to get the data?
- What form will the data be in?
- Will residual data be left with the vendor?
- Will there be any downtime during the transition?